redline | 64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584

General

Target

c1c11c2deaa44f89902852b29dd3c263.exe
Size

296KB
MD5

c1c11c2deaa44f89902852b29dd3c263
SHA1

add50de2b2001b21b1db5aaccac2d4b4742f8a58
SHA256

64cd31d1eee9e95282294430654cc7e38065803da4d3b9167e92b3efd9645584
SHA512

8aa8cd9bd26f9c02e0ce2399e9d9818c716323e611cd7aff4c6c3fe9b8cf151f4cfd37028149c4c3403f72343ae89695c59f4f9e3486a52dc29f10e82a0f3142

Score

10^/10

redline discovery infostealer spyware

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3028-5-0x00000000065B0000-0x00000000065D9000-memory.dmp	family_redline
behavioral2/memory/3028-7-0x0000000006650000-0x0000000006677000-memory.dmp	family_redline

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c1c11c2deaa44f89902852b29dd3c263.exe

pid process

3028 c1c11c2deaa44f89902852b29dd3c263.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c1c11c2deaa44f89902852b29dd3c263.exe

description pid process

Token: SeDebugPrivilege 3028 c1c11c2deaa44f89902852b29dd3c263.exe

pid	process
3028	c1c11c2deaa44f89902852b29dd3c263.exe

description	pid	process
Token: SeDebugPrivilege	3028	c1c11c2deaa44f89902852b29dd3c263.exe

C:\Users\Admin\AppData\Local\Temp\c1c11c2deaa44f89902852b29dd3c263.exe
"C:\Users\Admin\AppData\Local\Temp\c1c11c2deaa44f89902852b29dd3c263.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-2-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3028-3-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3028-4-0x00000000737B0000-0x0000000073E9E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-5-0x00000000065B0000-0x00000000065D9000-memory.dmp

Filesize
164KB

Download
memory/3028-6-0x0000000008FE0000-0x0000000008FE1000-memory.dmp

Filesize
4KB

Download
memory/3028-7-0x0000000006650000-0x0000000006677000-memory.dmp

Filesize
156KB

Download
memory/3028-8-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/3028-9-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/3028-10-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/3028-11-0x0000000009B10000-0x0000000009B11000-memory.dmp

Filesize
4KB

Download
memory/3028-12-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/3028-13-0x000000000A970000-0x000000000A971000-memory.dmp

Filesize
4KB

Download
memory/3028-14-0x000000000AB40000-0x000000000AB41000-memory.dmp

Filesize
4KB

Download
memory/3028-15-0x000000000B170000-0x000000000B171000-memory.dmp

Filesize
4KB

Download
memory/3028-16-0x000000000B230000-0x000000000B231000-memory.dmp

Filesize
4KB

Download
memory/3028-17-0x000000000B2C0000-0x000000000B2C1000-memory.dmp

Filesize
4KB

Download
memory/3028-18-0x000000000C350000-0x000000000C351000-memory.dmp

Filesize
4KB

Download
memory/3028-19-0x000000000BF90000-0x000000000BF91000-memory.dmp

Filesize
4KB

Download
memory/3028-20-0x000000000C020000-0x000000000C021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing